In a decision that expands employee protection, the Ninth Circuit held that workers cannot be criminally charged under the federal Computer Fraud and Abuse Act (CFAA) for misusing electronic data to which they have authorized access through their employment. The decision departs from three other federal appellate courts’ broader interpretations of the CFAA, but it is consistent with district courts that have restricted the act’s reach.
Chief Judge Alex Kozinski, carefully parsing the terms of the statute in the 9-2 opinion, held that the CFAA prohibits intrusions that exceed authorized access to electronic data but does not apply to the misuse of data to which an employee already has rightful access. (U.S. v. Nosal, No. 10-10038 (9th Cir. Apr. 10, 2012).)
David Nosal was a former employee of Korn/Ferry, an executive search firm headquartered in Los Angeles. Shortly after he left the firm, as part of his efforts to start a competing business, Nosal persuaded his colleagues at Korn/Ferry to download information from a confidential company database and transfer it to him. The employees had authorized access to the database, which was restricted by company policy to “Korn/Ferry business only.” As a result of the employees’ data disclosure, Nosal was indicted on 20 counts of trade secret theft, mail fraud, conspiracy, and violations of the CFAA because, the government alleged, he aided and abetted Korn/Ferry employees in “exceed[ing] authorized access” to the data with intent to defraud.
Nosal moved to dismiss the CFAA counts, arguing that the act applied only to hackers, not employees who have authorized access to data and then misappropriate it. The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The district court dismissed the CFAA counts for failure to state an offense, holding that the defendants did not exceed authorized access because they did not “alter” the data within the plain meaning of that word.
In affirming the district court, Kozinzki emphasized that Congress enacted the CFAA in 1984 to penalize computer hacking by outsiders—not actions by those who already have access to data. He also asserted that the government’s broad interpretation (which included use of a computer for an unauthorized purpose) “would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” To illustrate that his concerns were not “chimerical,” Kozinski noted that a CFAA violation had been alleged by an employer in at least one wrongful discharge case where the employee had checked Facebook and her personal email at work. (Lee v. PMSI, Inc., 2011 WL 1742028 (M.D. Fla., May 6, 2011).)
Acknowledging that the majority opinion conflicted with broader interpretations of the CFAA rendered by the Fifth, Seventh, and Eleventh Circuits, Kozinski urged those courts to reconsider, citing district court decisions in Arizona, Georgia, Maryland, and New York that restricted the act’s reach.
“Employer-employee and company-consumer relationships are traditionally governed by tort and contract law,” Kozinski wrote. “The government’s interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.”
Judge Barry Silverman filed a dissenting opinion, joined by Judge Richard Tallman. Silverman faulted the majority for parsing “a plainly written statute” in a “hyper-complicated way” that no other circuit had adopted. He also rejected Kozinski’s “far-fetched hypotheticals producing federal prison terms for accessing word games, jokes, and sports scores while at work.” The CFAA was “clearly aimed at, and limited to, knowing and intentional fraud,” like that Nosal was alleged to have committed, Silverman wrote.
Garrett Wotkyns, a Scottsdale, Ariz., attorney who represents plaintiffs in business tort litigation, said that Kozinski’s opinion had significance beyond the CFAA and employment law. “Most notable to me is its restraint,” he said. “The court passed up an open opportunity to federalize yet another area of substantive law, namely trade secret misappropriation as it relates to computers. There’s a gathering development to further federalize American legal life that traditionally was left to the states pursuant to their police powers. I see this as consonant with that tradition, and that’s a welcome decision,” said Wotkyns.